1282 matches found
CVE-2026-46687
Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks fileexists and calls include View::getView$template, allowing an...
Aquatronica Controller System <= 5.1.6 - Information Disclosure
Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...
WordPress Restrict User Access <= 2.5 - Cross-Site Scripting
WordPress Restrict User Access – Membership Plugin with Force versions before 2.6 is vulnerable to Reflected Cross-Site Scripting via the 'ruasection' parameter in the admin level edit page. id: CVE-2024-29138 info: name: WordPress Restrict User Access = 2.5 - Cross-Site Scripting author: Shivam...
CVE-2026-15651 WP TripAdvisor Review Slider <= 14.6 - Authenticated (Administrator+) SQL Injection via 'filtersource' Parameter
The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the 'filtersource' parameter in all versions up to, and including, 14.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
CVE-2026-15097
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...
CVE-2026-53013 affecting package kernel for versions less than 6.6.143.1-1
CVE-2026-53013 affecting package kernel for versions less than 6.6.143.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-55668
The CVE affects File Browser’s ScopedFs component prior to version 2.63.16. An authenticated user with Create and Modify permissions can trigger ScopedFs to validate the nearest existing ancestor of a dangling symlink and then follow the symlink during file creation, allowing attacker‑controlled ...
CVE-2026-14500
The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...
CVE-2026-49229
Affected software: Actual, a local-first personal finance app. Vulnerability summary: In OpenID multi-user mode prior to 26.6.0, disabling a user blocks future OpenID logins but does not revoke existing session tokens. The shared session validation path accepts any non-expired token, allowing a d...
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Am I affected? Users are affected if all of the following are true: - Their application uses @better-auth/sso at a version = 0.1.0, 1.6.11 on the stable line, or any 1.7.0-beta.x on the pre-release line. - The sso plugin is added to their application's betterAuth plugins: ... array. - Any user wi...
PT-2026-55863
Name of the Vulnerable Software and Affected Versions Notifications for Forms & WordPress Actions versions prior to 2.6 Description Authenticated users with subscriber-level access and above can include and execute arbitrary local PHP files on the server. This occurs because the plugin fails to...
CVE-2026-57357
Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...
CVE-2026-57357
Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...
CVE-2026-27425
Unauthenticated Cross Site Scripting XSS in Automotive Listings = 18.6 versions...
CVE-2026-13459
The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...
PT-2026-54978
Unauthenticated Cross Site Scripting XSS in Automotive Listings = 18.6 versions...
GHSA-6Q7J-XR26-3H2C Scriban: ExpressionDepthLimit guard is non-enforcing — parser-recursion DoS in 6.6.0–7.2.0 (incomplete fix for GHSA-wgh7-7m3c-fx25 / GHSA-p6q4-fgr8-vx4p)
Summary The ExpressionDepthLimit parser guard in Scriban does not actually stop parsing — it only logs a non-fatal error and lets recursive descent continue. As a result, a template containing a deeply nested expression parentheses, array initializers, object initializers, or unary operators driv...
EUVD-2026-39778
Mattermost Plugins versions =11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...
CVE-2026-56069
This CVE concerns the WordPress Toolset Forms plugin (versions up to 2.6.24). The issue is an Unauthenticated Insecure Direct Object Reference (IDOR) in Toolset Forms, allowing access to objects without authentication. The CVSS 3.1 vector indicates network attack, low attack complexity, no privil...